Layer7 API Management


Verify and decrypt WS Secure SOAP message in Gateway

  • 1.  Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-26-2016 07:15 AM

    Is there any assertion available to verify and decrypt an incoming WS-Secure SOAP message?

     

    Thanks,

    Siddharth



  • 2.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-27-2016 01:50 AM

    Siddharth,

     

    Once a SOAP service is published through the Policy Manager, the SOAP-based WS-Security/WS-Secure assertions can be used to validate portions of the message payload. The assertion to validate encryption is the Require Encrypted Element Assertion, which can be found under the same section name in the documentation; for WS-Secure Conversation, review the section Require WS-Secure Conversation Assertion.

     

    I hope this helps start you forward. Please let us know if this helps.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-29-2016 12:29 AM

    Could you please provide an example policy showing how to use it on an incoming WS-Secure message?

     

    Thanks,

    Siddharth



  • 4.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-29-2016 12:37 AM

    Siddharth,

     

    Do you have a sanitized message that I can view to make sure I provide the right information?

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-29-2016 12:48 AM

    Could you please provide me an email ID to which I can send the message? I don't want to put it on a public forum. My email ID is shidharth.jaiswal@icicibank.com



  • 6.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-29-2016 02:23 AM

    I have sent the message to communityadmin@communities-mail.ca.com



  • 7.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-29-2016 12:55 PM

    Siddharth,

     

    For some reason, which I will look into, the WCF component of the online documentation did not include the components that used to exist in the shipped PDF back in 8.2. I've attached that Layer 7 Policy Manager User Manual document plus several sample policies to help with the various roles that the gateway can act in for Secure Conversation. In the user manual, look at the "How to Integrate the Gateway with WCF" section.

    Scenario 1: Gateway as Pass-Thru

    In this scenario, the gateway sits in the middle of the client and the end service. The secure conversation session is established for the gateway and the endpoint service, but the session is also shared by the client and the gateway. Think of it as a "legitimized Man-In-The-Middle attack".

    Overview "Gateway As Pass-Thru"
    • The gateway receives an RST/SCT request from the client to establish a secure conversation with the endpoint service.
    • The gateway forwards the request to the endpoint service.
    • The gateway receives an RSTR/SCT response with an SCT from the endpoint service.
    • The gateway establishes an outbound secure conversation session by using the SCT.
    • The gateway forwards the RSTR/SCT response (without any mediation) to the client.
    • The gateway receives a service request (i.e., business request) from the client to request an actual service.
    • The gateway performs mediation on the service request, re-decorates it, and sends it to the endpoint service.
    • The gateway receives a service response from the endpoint service.
    • If the response does not need mediation, the gateway forwards the service response directly to the client.
    • If the response needs mediation, the gateway processes/parses the response message, modifies it, re-decorates it, and sends it back to the client.

    Scenario 2: Gateway as WCF Client

    In this scenario, the gateway acts as a WCF client, which establishes a secure conversation with the WCF service and then sends the service/business request to the WCF service.

    Overview "Gateway as WCF Client"
    • The gateway receives a service request from the client application.
    • The gateway sends an RST/SCT request to the STS to establish a secure conversation.
    • The gateway receives an RSTR/SCT response with an SCT from the STS.
    • The gateway sends an RST/Issue request to the STS to request a SAML token, which will be used later to authenticate the gateway to the end service.
    • The gateway receives an RSTR/Issue response with a SAML token from the STS.
    • The gateway builds an RST/SCT request with the SAML token and sends the request to the endpoint service to establish a secure conversation.
    • The gateway receives an RSTR/SCT response with an SCT from the endpoint service and establishes an outbound secure conversation.
    • The gateway sends a service request protected by the shared secret to the end service.
    • The gateway receives a service response from the endpoint service.
    • The gateway processes and modifies the response (if decoration is needed, it decorates the response message before sending it back to the client application).
    • The gateway sends the response message back to the client application.

    Scenario 3: Gateway as WCF Service

    In this scenario, the gateway acts as a WCF service, which establishes a secure conversation with a WCF client and handles the client's service request.

    Overview "Gateway as WCF Service"
    • The gateway receives an RST/SCT request (possibly with a SAML token) from the client, which wants to establish a secure conversation with the gateway.
    • The gateway sends the RST/SCT request to a Security Context Token internal service, which generates an SCT.
    • The gateway receives an RSTR/SCT response with an SCT and server entropy.
    • The gateway sends the client the RSTR/SCT response with the SCT and the server entropy.
    • The gateway receives a service request from the client.
    • The gateway undecorates the service request secured by the SC session and then handles the service request.
    • The gateway generates a service response (secured by the SC session) and sends it back to the client.
    • The gateway receives an RST/Cancel request from the client to cancel the secure conversation.
    • The gateway sends an RSTR/Cancel response to the client after the secure conversation is canceled.

    Sincerely,

     

    Stephen Hughes

    Director, CA Support

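The "Gateway as WCF Service" exchange above, worked through as an added example (not one of the attached sample policies, nor code from the user manual). Python dicts stand in for the WS-Trust RST/RSTR XML, the session key is derived from client and server entropy with P_SHA1 as the WS-Trust PSHA1 computed-key algorithm specifies, and a single HMAC over the body stands in for the full WS-Security symmetric-binding signature a real decorator would produce with that key. The entropy sizes, SCT identifier format and message field names are constructed for the example.

```python
import hmac
import hashlib
import secrets

KEY_BYTES = 32  # a 256-bit wst:KeySize; constructed value for this example


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 as used by the WS-Trust PSHA1 ComputedKey: the TLS 1.0 P_hash
    expansion with HMAC-SHA1, requestor entropy as secret, issuer entropy as seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


class Client:
    """WCF client side: keeps its own entropy and the key it computes from the RSTR/SCT."""

    def __init__(self):
        self.entropy = self.sct = self.key = None

    def build_rst_sct(self) -> dict:
        # RST/SCT carrying requestor entropy (hypothetical dict form of wst:Entropy/wst:KeySize)
        self.entropy = secrets.token_bytes(KEY_BYTES)
        return {"action": "RST/SCT", "entropy": self.entropy, "key_bits": KEY_BYTES * 8}

    def accept_rstr_sct(self, rstr: dict) -> None:
        self.sct = rstr["sct"]
        self.key = p_sha1(self.entropy, rstr["entropy"], KEY_BYTES)

    def protect(self, body: str) -> dict:
        # Service request "protected by the shared secret": SCT names the session,
        # the HMAC is the simplified stand-in for the WS-Security signature.
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"action": "service-request", "sct": self.sct, "body": body, "mac": mac}

    def build_rst_cancel(self) -> dict:
        return {"action": "RST/Cancel", "sct": self.sct}


class Gateway:
    """Gateway as WCF service; the Security Context Token internal service is the session table."""

    def __init__(self):
        self.sessions = {}

    def handle_rst_sct(self, rst: dict) -> dict:
        server_entropy = secrets.token_bytes(KEY_BYTES)
        sct = "uuid:" + secrets.token_hex(16)  # constructed SCT identifier
        self.sessions[sct] = p_sha1(rst["entropy"], server_entropy, rst["key_bits"] // 8)
        # RSTR/SCT returns the SCT and the server entropy; the derived key never leaves either side
        return {"action": "RSTR/SCT", "sct": sct, "entropy": server_entropy}

    def undecorate(self, request: dict) -> str:
        key = self.sessions.get(request["sct"])
        if key is None:
            raise PermissionError("unknown or cancelled secure conversation")
        expected = hmac.new(key, request["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["mac"]):
            raise PermissionError("service request failed integrity check")
        return request["body"]

    def handle_rst_cancel(self, rst: dict) -> dict:
        self.sessions.pop(rst["sct"], None)
        return {"action": "RSTR/Cancel", "sct": rst["sct"]}


def run_scenario_3() -> dict:
    """Drive the exchange end to end and report the checks a defender wants: both sides
    derived the same key, a genuine request passes, a tampered and a post-cancel one fail."""
    client, gateway = Client(), Gateway()
    client.accept_rstr_sct(gateway.handle_rst_sct(client.build_rst_sct()))
    keys_match = client.key == gateway.sessions[client.sct]

    request = client.protect("<GetOrder id='42'/>")
    accepted = gateway.undecorate(request) == "<GetOrder id='42'/>"

    tampered = dict(request, body="<GetOrder id='43'/>")
    try:
        gateway.undecorate(tampered)
        tamper_rejected = False
    except PermissionError:
        tamper_rejected = True

    gateway.handle_rst_cancel(client.build_rst_cancel())
    try:
        gateway.undecorate(client.protect("<GetOrder id='42'/>"))
        cancel_rejected = False
    except PermissionError:
        cancel_rejected = True

    return {"keys_match": keys_match, "accepted": accepted,
            "tamper_rejected": tamper_rejected, "cancel_rejected": cancel_rejected}


if __name__ == "__main__":
    print(run_scenario_3())
```

The point to take from the run is that neither RST nor RSTR ever carries the session key itself, only the two entropies, and that once RST/Cancel has been processed the gateway refuses further requests under that SCT even though the client still holds a valid key.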



  • 8.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-30-2016 01:33 AM

    Hi Stephen,

     

    I am not sure how much of the above information will be useful for the issue I am facing.

    We are receiving a WS Secure SOAP message from other party. The message is signed (using their private key) and encrypted (using our public certificate). We are not sure how we can use the assertions to first decrypt (using our private key) and then verify (using their public certificate). Please provide a sample policy, if available.

     

    Thanks,

    Siddharth



  • 9.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-30-2016 01:52 AM

    Siddharth,

     

    The confusion was with the wording, as you are looking for WS-Security encryption and signature, not WS-SecureConversation. We have a video in the community called "Encryption and signing of messages - basic concepts.mp4" which walks through enforcing encryption and signing, along with the policies, WSDLs, SOAPUI projects and such in the "Encryption and signing of messages - documents.zip" file in the community.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 10.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 08-30-2016 08:10 AM

    Hi Stephen,

     

    Thanks for the documents. I went through those; however, the issue is still unresolved. We are getting a WSS message which is compliant with a security policy similar to the one given at:

    2.1.3.1 (WSS 1.0) Encrypted UsernameToken with X.509v3 (OASIS Specification Template)

    I am not finding a way to verify the username token and signature and then decrypt the body. I have also raised support case #00494616, where I have uploaded the security policy file and the incoming WSS message. You may refer to that too.

     

    Thanks,

    Siddharth



  • 11.  Re: Verify and decrypt WS Secure SOAP message in Gateway
    Best Answer

    Posted 09-27-2016 03:48 PM

    Good afternoon,

     

    From the work done through the case, I wanted to share a generic policy workflow, including a sample private key, using our ACMEWarehouse sample request. I have attached 4 attachments: for creating the payload in one service, consuming it in another, the WSDL used, and the private key. To make this workflow work, you will need to publish 2 services using the WSDL provided, with the URIs /create and /consume (ensure on the WSDL tab that "all operations accepted" is checked and that the GET HTTP method is set, as the default is just POST), create a user in the internal identity provider called testuser with the password testpass, and import the corresponding policies into each service. Send a GET to the create service and take the raw response and put it into a POST to the consume service. The output should have the signature validated, the body decrypted, and the SOAP header removed.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 12.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 04-01-2017 04:42 AM

    Hi stephen_huges, I am trying to run your policy but I got an error. Can you please help me to resolve this issue?



  • 13.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 04-04-2017 03:38 AM

    Hi arfin shaikh,

     

    At this stage, I suggest a new case be raised with CA support so we can specifically look into your case.


    Regards,

    Seenu Mathew



  • 14.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 05-23-2018 04:36 AM

    It looks like the consume policy only decrypts the message but does not verify the signature. Could you please provide an example in which the signature is also verified?



  • 15.  Re: Verify and decrypt WS Secure SOAP message in Gateway

    Posted 12-18-2018 01:32 PM

    Kevin,

     

    To force a signature validation, just add a "Require Signed Element" assertion above the "Require Encrypted Element" assertion in the consume policy.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support
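The gap raised in post 14 and the fix in post 15 (Require Signed Element above Require Encrypted Element in the consume policy) come down to a coverage question: which elements does the header Signature actually reference, and is the Body's EncryptedData bound to the header EncryptedKey? The following added example (not Stephen's attached consume policy and not Gateway code) parses a constructed WSS 1.0 style envelope with the standard library and applies the two requirements in that order, structurally only. The digests, cipher values and key identifier are placeholders; verifying the SignatureValue against a trusted certificate and decrypting with the recipient's private key is what the Gateway assertions do on top of this and is not done here.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
ENCRYPTED_DATA = "{%s}EncryptedData" % NS["xenc"]


def make_envelope(signed_ids, encrypt_body=True):
    """Constructed WSS 1.0 style envelope (not a real message): an EncryptedKey
    wrapped for the recipient's certificate, an optional EncryptedData in the Body,
    and a Signature over the given wsu:Ids. All cryptographic values are placeholders."""
    refs = "".join(
        f'<ds:Reference URI="#{i}"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
        for i in signed_ids)
    body = ('<xenc:EncryptedData Id="EncData-1" Type="http://www.w3.org/2001/04/xmlenc#Content">'
            '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>' if encrypt_body else '<GetOrder id="42"/>')
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2016-08-30T00:00:00Z</wsu:Created></wsu:Timestamp>
      <xenc:EncryptedKey Id="EncKey-1">
        <ds:KeyInfo><wsse:SecurityTokenReference>
          <wsse:KeyIdentifier>PLACEHOLDER-recipient-cert-identifier</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#EncData-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature>
        <ds:SignedInfo>{refs}</ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1">{body}</soap:Body>
</soap:Envelope>"""


def _security_header(root):
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    return sec


def require_signed_element(root, target):
    """Require Signed Element, structurally: the target's wsu:Id must be among the
    ds:Reference URIs of the header Signature. Verifying the SignatureValue itself
    against a trusted certificate is left to the Gateway assertion."""
    sec = _security_header(root)
    signed = {r.get("URI", "").lstrip("#")
              for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    target_id = target.get(WSU_ID)
    if not target_id or target_id not in signed:
        raise ValueError(f"{target.tag} is not covered by the signature")


def require_encrypted_element(root, target):
    """Require Encrypted Element, structurally: the target's only child must be an
    xenc:EncryptedData listed by the header EncryptedKey, so its content key was
    wrapped for the recipient. Decrypting with the recipient's private key is left
    to the Gateway assertion."""
    sec = _security_header(root)
    children = list(target)
    if len(children) != 1 or children[0].tag != ENCRYPTED_DATA:
        raise ValueError(f"{target.tag} content is not encrypted")
    listed = {d.get("URI", "").lstrip("#") for d in sec.findall(
        "xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference", NS)}
    if children[0].get("Id") not in listed:
        raise ValueError("EncryptedData is not referenced by the header EncryptedKey")


def consume_policy(envelope: str) -> str:
    """Order from the thread: Require Signed Element first, then Require Encrypted
    Element, both on the Body. Returns 'ok' or the name of the first failed check."""
    root = ET.fromstring(envelope)
    body = root.find("soap:Body", NS)
    for name, check in (("signed", require_signed_element),
                        ("encrypted", require_encrypted_element)):
        try:
            check(root, body)
        except ValueError:
            return name
    return "ok"


if __name__ == "__main__":
    print(consume_policy(make_envelope(["Timestamp-1", "Body-1"])))
    print(consume_policy(make_envelope(["Timestamp-1"])))
    print(consume_policy(make_envelope(["Timestamp-1", "Body-1"], encrypt_body=False)))
```

The second call models the situation post 14 describes: the message decrypts fine, but its Signature references only the Timestamp, so a policy with only Require Encrypted Element would accept a Body nobody signed. Putting the signed check first means such a message is rejected before any decryption work is spent on it.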